Date: Wed, 28 Jun 2000 16:55:38 -0700 (PDT) From: kevin@telco21.com To: freebsd-gnats-submit@FreeBSD.org Subject: conf/19569: stock IPFW rules have subtle udp hole Message-ID: <20000628235538.5059D37C2F1@hub.freebsd.org>
>Number: 19569
>Category: conf
>Synopsis: stock IPFW rules have subtle udp hole
>Confidential: no
>Severity: serious
>Priority: high
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: change-request
>Submitter-Id: current-users
>Arrival-Date: Wed Jun 28 17:00:01 PDT 2000
>Closed-Date:
>Last-Modified:
>Originator: Kevin Glavin
>Release: 3.X, 4.X - probably 2.x also
>Organization:
>Environment:
FreeBSD pod 4.0-RELEASE FreeBSD 4.0-RELEASE #0: Sat Jun 24 16:55:34 GMT 2000 root@pod:/u2/usr/src/sys/compile/pod i386
>Description:
ipfw stock rules have loosely defined rules for udp port 53 and the ntp port
(123 I think). The rules are defined in such a fashion that once a packet is
coming from (internet anywhere) port 53 to any port (on, for example, your outside
interface) 'you' assume it's a DNS lookup response, or once a udp packet is going
out to port 53 from any port on your outside interface 'you' assume it's a dns query.
This assumption allows me to write a port scanner that binds to port 53 on the
scanning machine and scans all udp ports on FreeBSD machines that use these rules to
allow DNS/NTP but are assuming that they have blocked all other UDP access.
So if I am running another udp based service that I thought was protected
by ipfw rules on the outside interface, it may actually be wide open once the attacking
client binds to port 53 to initiate contact with the service.
>How-To-Repeat:
As part of a stock install, compile the kernel to use IPFW with the
'simple' rules enabled to nat an internal 192.168.X network of home PCs.
>Fix:
A fix that works on certain configurations is to tightly specify
the rules as:
# Allow DNS queries out in the world : note query port set to 53 in named.conf
$fwcmd add pass udp from any 53 to ${oip} 53
$fwcmd add pass udp from ${oip} 53 to any 53
## now internet based clients bound to port 53 can only connect to named
## instead of having free rein.
# same thing for NTP
# Allow NTP queries out in the world
$fwcmd add pass udp from any 123 to ${oip} 123
$fwcmd add pass udp from ${oip} 123 to any 123
>Release-Note:
>Audit-Trail:
>Unformatted:
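The following is an added illustration, not part of the PR or of FreeBSD's rc.firewall: it simulates ipfw's first-match evaluation over a loose rule set paraphrased from the PR's description (only the remote port 53 is checked) and the tightened rule set from the Fix section, showing which UDP packets each set passes. The rule syntax is a simplified subset, and OIP is a constructed outside-interface address.

```python
"""Toy first-match evaluator for the ipfw rules discussed in PR conf/19569.
Added example; simplified rule syntax: ACTION PROTO from SRC SPORT to DST DPORT,
with 'any' as a wildcard. Not FreeBSD's rc.firewall."""
from dataclasses import dataclass

OIP = "192.0.2.1"  # constructed outside-interface address (TEST-NET-1)


@dataclass(frozen=True)
class Rule:
    action: str  # "pass" or "deny"
    proto: str
    src: str
    sport: str
    dst: str
    dport: str

    def matches(self, proto, src, sport, dst, dport):
        def m(pattern, value):
            return pattern == "any" or str(pattern) == str(value)
        return (m(self.proto, proto) and m(self.src, src) and m(self.sport, sport)
                and m(self.dst, dst) and m(self.dport, dport))


def parse(text):
    # e.g. "pass udp from any 53 to 192.0.2.1 any"
    action, proto, _, src, sport, _, dst, dport = text.split()
    return Rule(action, proto, src, sport, dst, dport)


# Loose rules as the PR describes them: any packet from remote port 53 is
# treated as a DNS reply, whatever local port it targets (the hole).
LOOSE = [parse(r) for r in (
    f"pass udp from any 53 to {OIP} any",
    f"pass udp from {OIP} any to any 53",
    "deny udp from any any to any any",
)]

# Tightened rules from the PR's Fix section (named's query port pinned to 53).
TIGHT = [parse(r) for r in (
    f"pass udp from any 53 to {OIP} 53",
    f"pass udp from {OIP} 53 to any 53",
    "deny udp from any any to any any",
)]


def verdict(rules, proto, src, sport, dst, dport):
    """First matching rule wins, as in ipfw; deny if nothing matches."""
    for r in rules:
        if r.matches(proto, src, sport, dst, dport):
            return r.action
    return "deny"
```

Under LOOSE a packet from a remote host's port 53 to an unrelated local UDP service is passed; under TIGHT only traffic to and from the local named on port 53 gets through.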
